RES 2013-1109 - PO from Continuum Security Solutions for DotComm cyber security end user awareness training program
Office of the Mayor
1819 Farnam Street, Suite 300
Omaha, Nebraska 68183-0300
(402) 444-5000
FAX: (402) 444-6059
City of Omaha
Jean Stothert,Mayor
Honorable President
and Members of the City Council,
Transmitted herewith is a Resolution authorizing the purchase of and payment for professional
services related to the Douglas-Omaha Technology Commission (DotComm) Cyber Security
End User Awareness Training Program in the amount of $35,200.00. The End User Awareness
Program is part of DotComm's ongoing efforts to secure the City and County information
networks through both network resiliency and end user awareness training.
Continuum Security Solutions is the sole vendor of the professional services required for the
establishment of the DotComm Cyber Security End User Awareness Training Program aimed at
raising City/County Cyber Security end user awareness. In accordance with the provisions of
Section 5.16, Home Rule Charter, in the event of a sole source vendor, the City Council may, by
resolution, authorize the Purchasing Division to issue a purchase order for the services.
The Cyber Security End User Awareness Program training is budgeted and will be funded up to
$35,200.00 by the Nebraska Emergency Management Agency (NEMA) FY 2010 Urban Area
Security Initiative, Award #2010-SS-T8-0013, approved by City Council on September 13,
2011, Ordinance No. 39112, Fund 12151, Organization 130762.
Respectfully submitted:
Jean Stothert, Mayor    Date
Approved as to Funding:
Al Herink, Interim Finance Director    Date
Approved:
Human Rights and Relations    Date
P:\MYR\0060PR
CONTINUUM SECURITY SOLUTIONS
A Mutual of Omaha Company
DOT.COMM
March 2013
Submitted by:
Bret Brasfield
Business Developer, Security Solutions
Chris Hoke CISSP, CISA, PCI QSA
Director, Security Solutions
3333 Farnam Street, Suite 1 Omaha, Nebraska 68131 800 780 0298 cwc-security.com
Table of Contents
Background
Continuum Security Solutions
Corporate Profile
Description of Service
Continuum Security Solutions Responsibilities
DOT.COMM Responsibilities
Cost of Services
Project Change Control
DOT.COMM, in conjunction with Sarpy County, is asking for a comprehensive information security policy and
procedure review. The goal of this review is to assess the current state of the DOT.COMM information security
program.
This project will utilize a three-phase implementation. In the first phase, Continuum Security Solutions will conduct an
information security policy and procedure review.
In the second phase, Continuum Security Solutions will create end-user awareness training modules to support cyber
security protocol within the counties. The training modules will focus on DOT.COMM's information security policy, cyber
security, and general information technology best practices. They will be designed to support new and existing policies
for current county employees, as well as all new hires.
In the third phase, Continuum Security Solutions will expand the training to include modules for individuals with access
to confidential data and/or elevated access rights. Enterprise devices and remote connectivity (i.e., county-owned
devices, personal devices, and third party devices) will also be covered in this training expansion.
Corporate Profile
Continuum Security Solutions is a leading independent provider of information security solutions, engaged in all phases
of compliance, assessments, governance, and incident response. With expertise developed through decades of real-world
experience, our consultants take a holistic approach to clients' risk. We help clients recognize threats, evaluate
potential impacts and create individually tailored programs that transform their ability to manage exposure to future
detrimental activities. We do this by focusing on the following solutions:
PCI Compliance
We provide payment card industry compliance services to organizations that store, process, and/or
transmit payment card data. Our services provide organizations the tools they need to efficiently manage
payment card data risks and drive on-going compliance.
Assessments
We provide a comprehensive suite of services for the assessment and identification of vulnerabilities within
your applications, networks, and infrastructure. If you simply need to fulfill your compliance requirements,
or if you would like to test your network security against a full scope attack that simulates being targeted by
a malicious party, we have the expertise to meet your needs.
Governance
Continuum uses a business-centric approach to identify your processes and document security
requirements. Long term sustainability of information security risk mitigation efforts is closely aligned with
how they fit into an organization's strategic plan. We offer strategic planning and consultation to ensure an
organization's best development and implementation of their information security programs.
Incident Response
Continuum provides incident response services to help businesses collect, preserve, analyze and produce
information about digital media in a thorough, efficient, and cost-effective manner. Our forensic and data
experts collect, preserve, analyze, and produce information in a confidential, tightly controlled, and secure
environment/procedure that allows for proper preservation of electronic evidence (e-Evidence). We also
have experience testifying in Federal Court.
Description of Service
To help establish and define components of an information security awareness program to be utilized by DOT.COMM
and Sarpy County, Continuum Security Solutions will provide the following:
• A project plan for the development of information security awareness training which includes:
o Policy and procedure discovery review.
• A documented framework based on industry practices relative to DOT.COMM. The documented framework
will include:
o Information security program training.
o Identification of key control objectives derived from NIST and SANS security frameworks.
• A Roadmap of initiatives to implement and monitor controls relative to requirements set forth by UASI grant
funding.
• Review of program initiatives determined by DOT.COMM and Continuum Security Solutions.
The following table identifies additional elements that are included in and excluded from the scope of the proposed
engagement:
Element | Included | Excluded | Notes
Assessment of the DOT.COMM information security program, to include: policies & procedures; technical documentation; interviews with key personnel | X | | Assessment is based on defined frameworks (NIST/SANS). Locations include Douglas and Sarpy Counties.
Provide prioritized recommendations and activities based on assessment findings | X | |
Provide detailed project plan | X | | Project plan
Provide regular engagement updates | X | | Weekly project updates at a minimum
Transfer of knowledge related to assessment | X | | Assessment interviews, project updates
Document review for NIST security framework & SANS best practices | X | | Policies and procedures
Internal report and sanitized summary for county officials that will not reveal any vulnerabilities to the public per security protocol | X | |
System and network configuration review and remediation | | X |
Phase 1 Deliverable (Policy/Procedure Review), 7-10 business days:
Continuum will assess policies and procedures as they relate to information security protocol for Douglas and Sarpy
County. The core purpose of this deliverable is to ascertain the current state of the environment against the expected
standard. Continuum will issue a report on the gap assessment for each county, based on the current state. This report
will act as a policy and course development road map for the county. Continuum will not assist the counties with policy
mitigation, as it is outside the scope of work, but we will use the report results for subsequent training development. It is
essential that these policies be complete and up-to-date in order to align with the corresponding security framework.
Phase 2 Deliverable (Course Development), 5-7 days:
Continuum will develop courses that Douglas and Sarpy County will use to align staff with the information security
framework and best practice protocol. All courses will be scripted and outlined for county approval prior to production.
All course content will be standalone: each course can be taken on its own, without prior or subsequent courses.
The courses listed below are representative samples of possible courses to be developed; however, all content is
subject to change based on the specifics of the security framework.
• Passwords
• Citizen & Employee Confidentiality
• Information Security
• Bring Your Own Device (BYOD)
• Social Media
• Cyber-Security
Phase 3 Deliverable (Specialty Course Development), 2-3 days:
Confidential and elevated access rights training will expand the current training suite to include modules for
individuals with access to confidential data and/or elevated access rights. Enterprise devices and remote connectivity
(i.e., county-owned devices, personal devices, and third party devices) will also be covered in this training expansion.
Timelines:
The entire project will take approximately 30-45 days. The better part of the work will take approximately 20 days;
however, Continuum builds in time for the county teams to acquire the required documentation. The extra time built in
allows for review of content by the county teams after Continuum has completed the assessments and training content.
Assessment Methodology
In order to conduct this project, Continuum Security Solutions will utilize the following methods for Information
Gathering and Analysis. These methods will ensure Continuum Security Solutions provides DOT.COMM with
deliverables that are well thought out and precise enough to meet the objectives and requirements of the project.
[Figure: assessment methodology diagram; labelled phases: Project Planning, Information Gathering, Analysis, Validation, Reporting, Remediation, Quality Assurance]
Project Planning
The project planning phase of the assessment methodology allows Continuum Security Solutions to identify, together
with the client, the final scope of the assessment. A key aspect of the project planning phase is the definition of critical
success factors and reaffirmation of the business objectives of the client. In addition, an assessment work plan will be
finalized by Continuum Security Solutions and the client. Elements of the project planning phase include:
• Agreement on overall scope of the assessment
• Identification of resources that will be assigned to the project
• Communication plan for the duration of the project
• Project timeline and milestones
Information Gathering
Information gathering is a key phase in the assessment methodology. This phase consists of methods to gain
information regarding the business processes and supporting technology within the scope of the project. Elements of
the information gathering phase include:
• Documentation request (policies, procedures, and other relevant documentation)
• Client questionnaires
• Face-to-face interviews with business process owners and support personnel
• On-site visit and walkthroughs
• Control testing (demonstrations, reports, scripts)
• Document information that potentially impacts the controls of the business processes
Analysis
The analysis phase of the assessment methodology involves the use of the information gathered in the assessment.
The review of the information and baseline to a selected control framework is performed and documented. Elements of
the analysis phase include:
• Documentation review
• Questionnaire review
• Baseline information gathered to control framework
• Identify possible gaps
• Document controls
• Formulate remediation recommendations
Validation
A key component to an assessment methodology is the validation of information gathered and controls reviewed.
Validations to ensure implemented controls are valid and risk ratings are appropriate provide the client with an accurate
assessment of their business processes and control environment. Elements of the validation phase include:
• Follow-up interviews and testing if necessary on specific control elements
• Walkthrough with client of the initial assessment
• Narratives and process flows when applicable
Reporting
The reporting phase is a comprehensive overview of the work performed during the project. The report will address the
scope of the project, assessment methodology and comments, associated findings and communication to allow for
remediation. Elements of the reporting phase include:
• Review of report with project stakeholders
• Narrative of control environment
• Findings and remediation
• Associated work papers and documentation
Remediation
Remediation provides the ability for areas in which deficiencies are identified in relation to the selected control
framework to be mitigated and addressed by the client. Elements of the remediation phase include:
• Define action plans and timelines for remediation
• Communicate initiatives for remediation with stakeholders
• Execute initiatives for remediation
Quality Assurance
In order to provide the highest quality of work on each project, a series of reviews of work activities and client
deliverables by experienced consultants and managing consultants is conducted before they are delivered to the client
for review.
In order for the proposed engagement to be successful, roles and responsibilities for both DOT.COMM and Continuum
Security Solutions are defined.
Continuum Security Solutions Responsibilities
• Execution of the tasks identified for this project
• Day-to-day project management for the scope provided within this statement of work, including tracking and
resolution of project related issues, progress tracking and communication
• Assignment of a Managing Consultant to be the primary point of contact for all project management related
issues
• Periodic project status reports and meetings as determined by DOT.COMM to keep all project stakeholders
informed at all times
• Expertise and leadership in the information security program assessment, to include a thorough understanding
of industry frameworks
DOT.COMM Responsibilities
• Provide a project sponsor, a point of contact, and appropriate access to knowledgeable key resources in
information security, human resources, business units, and other resources as needed
• Designate a single point of contact to be responsible for all final decisions related to this proposal
• Provide any documentation and supporting information relevant to the success of the assessment
• Provide physical workspace for any work that requires on-site visits longer than one(1)business day
The cost associated with this policy/procedure review is based on a fixed price and can be found on the schedule
below. The estimates set forth in this proposal are based on best effort to understand the needs of the client. If during
the process of conducting the engagement, the assessment team identifies and confirms through the project sponsor a
finding and/or issue that can affect the estimates in this proposal, the assessment team will adjust estimates
accordingly.
Cost of Services
Service-related activity will be billed according to the month in which the service was completed. Continuum Security
Solutions will provide services for the price(s) as identified in the table below:
Policy Review / Cyber Security Awareness Training: $35,200 (Baseline Assessment)
• Policy and Procedure Review Against Framework(s)
• End User Awareness Training Modules
• Specialized Training Modules for Confidential Data Security
Additional consulting outside of the scope of this engagement will be done through a separate statement of work.
It should be noted that the fees quoted above exclude out of pocket costs, including travel, which will be billed
separately as actual costs are incurred. All work is being performed locally; therefore no additional out of pocket
expenses should be incurred. Any work required out of area will have to be authorized and approved by DOT.COMM
prior to the engagement.
DOT.COMM will be billed monthly at a pro-rated rate based on the percent of the project that has been completed. The
entire project will be billed no later than June 15th 2013 in order to accommodate processing time set forth by
DOT.COMM. It is understood that some of the work may be performed after June 15th; however, due to funding
availability and processing time, the final bill will need to be submitted on or near June 15th 2013.
Sample Project Schedule:
[Gantt chart titled "Vulnerability Assessment"; recoverable task names: Kickoff, Finalize Workplan, Review Results, Validate Findings w/ Client, Report Development, Review Draft Report w/ Client, Finalize Report, Submit Report, Assessment Closure, Closure Meeting, Assessment Completed]
Project Change Control
Any change to the scope, deliverables, or milestones contained within this proposal shall be made only in writing by
authorized representatives of Continuum Security Solutions and DOT.COMM.
1. Acceptance
DOT.COMM shall have the right to evaluate each deliverable. Within five business days of delivery,
DOT.COMM shall give written notice of Continuum's acceptance or rejection of the deliverable. DOT.COMM's
failure to provide written notice within this time frame shall be deemed to constitute acceptance.
2. Terms and Billing
This section describes the terms and billing of the SOW.
2.1. DOT.COMM agrees to pay the fees outlined in the SOW in United States Dollars (USD).
2.2. The Effective Date of this SOW is the date the second of the two parties signs this document, as
outlined in the "Execution" section.
2.3. Continuum Security Solutions will bill applicable travel and expenses at actual cost to Continuum
Security Solutions. Continuum Security Solutions will make every attempt to incur reasonable expenses
associated with the implementation of this project. Continuum Security Solutions will communicate to
DOT.COMM before travel is booked.
2.4. DOT.COMM will provide a purchase order (PO) number upon execution of this SOW:
PO#:
2.4.1. DOT.COMM to send all POs, including Bill to and Ship to information for all orders to
the billing and payment address identified below.
Attention to:
Company Name:
Address:
City: State: Zip:
Phone: Fax:
Standard Terms and Conditions
These Standard Terms and Conditions govern the Engagement Letter (or Proposal or Statement of Work, all
referred to as the "Proposal") attached hereto. These documents are collectively referred to, and comprise, the
"Agreement" between DOT.COMM and CONTINUUM WORLDWIDE CORPORATION, DBA CONTINUUM
SECURITY SOLUTIONS ("CONTINUUM"). By signing and accepting the Proposal, DOT.COMM accepts the
following Standard Terms and Conditions:
1. Nature of Services: CONTINUUM will use commercially reasonable efforts to perform the
services described in the Proposal. It is understood and agreed that services provided by CONTINUUM
may include advice and recommendations, but all decisions in connection with the implementation of
such advice and recommendations shall be the responsibility of, and will be made by, DOT.COMM. In
connection with performing its services, CONTINUUM shall be entitled to rely on all representations of
fact, decisions and approvals made by DOT.COMM.
2. Warranties: This is a services engagement. CONTINUUM warrants that it shall use commercially
reasonable efforts to perform the services hereunder and that such services shall, in all material respects,
conform to the specifications on the Proposal for a period of thirty (30) days after delivery or performance
of the services. CONTINUUM DISCLAIMS ALL OTHER WARRANTIES, EITHER EXPRESS OR
IMPLIED, INCLUDING, WITHOUT LIMITATION, WARRANTIES OF MERCHANTABILITY AND FITNESS
FOR A PARTICULAR PURPOSE.
3. Limitation of Liability: CONTINUUM'S LIABILITY, IF ANY, TO DOT.COMM FOR ANY LOSS,
DAMAGE, CLAIM, LIABILITY, OR EXPENSES OF ANY KIND (INCLUDING WITHOUT LIMITATION
LOSS OF BUSINESS TO DOT.COMM) CAUSED DIRECTLY OR INDIRECTLY BY THE
PERFORMANCE OR NONPERFORMANCE OF OBLIGATIONS PURSUANT TO THIS AGREEMENT
OR BY THE NEGLIGENCE, ACTIVE OR PASSIVE, OF CONTINUUM SHALL BE EXCLUSIVELY
LIMITED TO AN AGGREGATE AMOUNT OF THE GENERAL MONEY DAMAGES IN A TOTAL
AMOUNT NOT TO EXCEED THE AMOUNTS PAID TO CONTINUUM UNDER THIS AGREEMENT.
UNDER NO CIRCUMSTANCES SHALL CONTINUUM BE LIABLE FOR SPECIAL, INCIDENTAL,
CONSEQUENTIAL, EXEMPLARY OR PUNITIVE DAMAGES OR LOST PROFITS, DESPITE THE FACT
THAT THE POSSIBILITY OF SUCH DAMAGES ARE OR MAY BE KNOWN TO CONTINUUM.
4. Allocation of Risk: DOT.COMM and CONTINUUM expressly acknowledge and agree that the
limitations and exclusions contained in Sections 2, 3 and 5 have been the subject of active and complete
negotiation between the parties and represent the parties' agreement as to the allocation of risk between the
parties based on the level of risk to CONTINUUM and DOT.COMM associated with their respective
obligations under this Agreement. The fees payable to CONTINUUM in connection herewith reflect this
allocation of risk and the exclusion of consequential damages in this Agreement. The parties
acknowledge that but for the limitations in Sections 2, 3 and 5 the parties would not have entered into this
Agreement.
5. DOT.COMM Acknowledgements and Representations (Not applicable to electronic and
paper discovery and support services):
5.1. DOT.COMM Understandings. DOT.COMM agrees and understands that: (a) CONTINUUM
does not guarantee that the services will detect or remediate all security weaknesses, potential security
problems or potential breaches; (b) certain types of services may cause equipment, software or
communications failures or otherwise interrupt or disrupt network services; and (c) DOT.COMM is
responsible for performing adequate backups and disaster preparedness prior to the performance of any
services.
5.2. DOT.COMM Representations and Warranties. DOT.COMM represents and warrants that it will
use the tangible items specified as deliverables or work product in the Proposal which are provided to
DOT.COMM ("Deliverables") only for its own internal use and as communicated by CONTINUUM.
DOT.COMM shall make no representations to any other person or entity regarding the services or
Deliverables, and will hold CONTINUUM harmless from any claims based upon such representations, as
well as any costs or expenses arising therefrom (including, but not limited to, attorneys' fees and
expenses).
6. Ownership and Intellectual Property:
6.1. CONTINUUM Technology. CONTINUUM has created, acquired or otherwise has rights in, and
may, in connection with the performance of services hereunder, employ, provide, modify, create, acquire
or otherwise obtain rights in, various concepts, ideas, methods, methodologies, procedures, processes,
know-how, and techniques (including, without limitation, function, process, system and data models);
templates; generalized features of the structure, sequence and organization of software, user interfaces
and screen designs; general purpose consulting and software tools, utilities and routines; and logic,
coherence and methods of operation of systems (collectively, the"CONTINUUM Technology").
6.2. Ownership of CONTINUUM Property:
6.2.1. To the extent that CONTINUUM utilizes any of its property (including, without limitation, the
CONTINUUM Technology or any hardware or software of CONTINUUM) in connection with the
performance of services hereunder, such property shall remain the property of CONTINUUM and,
except for the license expressly granted in Section 6.3, DOT.COMM shall acquire no right or
interest in such property.
6.2.2. Notwithstanding anything herein to the contrary, the parties acknowledge and agree that
(a) CONTINUUM shall own all right, title, and interest, including, without limitation, all rights under
all copyright, patent and other intellectual property laws, in and to any of the Deliverables and
the CONTINUUM Technology; and, (b) CONTINUUM may employ, modify, disclose, and
otherwise exploit the Deliverables or CONTINUUM Technology (including, without limitation,
providing services or creating programming or materials for other DOT.COMM). CONTINUUM
does not agree to any terms that may be construed as precluding or limiting in any way its right to
(a) provide consulting or other services of any kind or nature whatsoever to any person or entity
as CONTINUUM in its sole discretion deems appropriate; or, (b) develop for itself, or for others,
materials that are competitive with those produced as a result of the services provided hereunder,
irrespective of their similarity to any Deliverable.
6.2.3. Notwithstanding anything to the contrary, CONTINUUM shall protect any DOT.COMM
Confidential Information as set forth in Section 7 which may be embedded in the Deliverables.
6.3. License to Deliverables. Upon full and final payment to CONTINUUM hereunder, DOT.COMM
shall receive a royalty-free, fully paid-up, worldwide, non-exclusive license to use any of the Deliverables.
DOT.COMM agrees that this is not a work-made-for-hire agreement and that CONTINUUM shall retain
sole ownership of all Deliverables. DOT.COMM further agrees not to re-sell, license or otherwise provide
any Deliverable to any third party.
7. Confidentiality:
7.1. Confidential Information. Each party may provide to the other, and each party may come into
possession of information relating to the other party's business which is considered confidential (the
"Confidential Information"). Confidential Information shall include, without limitation, all CONTINUUM
Technology, all Deliverables, all information marked confidential, all trade secrets of the parties (as
defined under the applicable state trade secret law), and all information relating to each party's business
plans and operations, products, costs, marketing statistics, all DOT.COMM information, statistics, reports,
data, lists, security assessments and analysis, future plans, business affairs, process information,
technical information, finances, marketing plans and pricing strategy. Notwithstanding the foregoing, the
term Confidential Information shall not include information that (a) is publicly known at the time of its
disclosure, (b) is lawfully received by the receiving party from a third party not under an obligation of
confidentiality to the disclosing party, (c) is published or otherwise made known to the public by the
disclosing party, or (d) was generated independently by the receiving party before disclosure by the
disclosing party.
7.2. Restrictions. Neither party shall disclose any of the other party's Confidential Information to any
person, or permit any person to use, examine or reproduce Confidential Information without the prior
written consent of the other party, unless such Confidential Information has become public knowledge
through means other than breach of this Agreement or unless disclosure is required by a valid subpoena,
court order or applicable law. Each party shall exercise at least the same degree of care to protect the
confidentiality of the other party's Confidential Information which it exercises to protect the confidentiality
of its own similar confidential information, but in no event less than reasonable care. As long as a party
meets this standard of care, that party shall have no additional obligations or liability regarding
confidentiality.
7.3. Limited Rights of Disclosure. Anything to the contrary notwithstanding, CONTINUUM may, without
the prior specific written authorization of DOT.COMM, (a) disclose and make available DOT.COMM
Confidential Information, on a confidential and restricted basis, to its employees and independent
contractors who have a reasonable need to know or have access to such information and materials in
connection with the services, and (b) use DOT.COMM Confidential Information for any proper purpose
related to the services.
7.4. Notice of Breach. Each party will immediately notify the other party of any theft or unauthorized
disclosure, reproduction or use of any Confidential Information, or any part of such information, of which
such party has knowledge. The notice shall include the name, title and business address of any person,
whether or not employed by the notifying party whom such party reasonably believes has unauthorized
possession of or made unauthorized disclosure, reproduction or use of Confidential Information and a
detailed description of the Confidential Information at issue and the factual circumstances surrounding the
unauthorized disclosure, theft or loss.
7.5. Injunctive Relief. Each party acknowledges that any violation of the provisions of this Section 7,
may result in irreparable harm to the other party and that such other party may have no adequate remedy
at law. The parties agree that in addition to a right to terminate this Agreement upon a breach of
confidentiality, each party shall have the right to seek equitable relief by the way of injunction to restrain
such violation and to such further relief it may be entitled at law or in equity.
8. Fees and Payment Terms:
8.1. Fees. Fees and payment terms for the services are outlined in the Proposal. Unless otherwise
provided in the Proposal, fees may be modified by CONTINUUM upon thirty (30) days written notice to
DOT.COMM.
8.2. Payment Terms. Invoices upon which payment is not received within thirty (30) days of the
invoice date shall accrue a late charge of the lesser of (a) 1.5 percent each month or (b) the highest
rate allowable by law, in each case compounded monthly to the extent allowable by law. CONTINUUM
has no obligation to perform services in the event invoices remain unpaid.
9. Cancellation: This Agreement may be terminated upon the written mutual agreement of both
parties.
10. Cooperation: DOT.COMM shall cooperate with CONTINUUM in the performance by
CONTINUUM of its services hereunder, including, without limitation, providing CONTINUUM with
reasonable facilities and timely access to data, information and personnel of the DOT.COMM.
DOT.COMM shall be responsible for the performance of its personnel and agents and for the accuracy
and completeness of all data and information provided to CONTINUUM for purposes of the performance
by CONTINUUM of its services hereunder.
11. No Third Party Beneficiary: This Agreement is for the sole and exclusive benefit of the parties
hereto, and their respective successors and permitted assigns. The parties do not intend to create any
third party beneficiaries or other incidental beneficiaries and nothing herein, express or implied, is
intended to or shall confer upon any other person any legal or equitable right, benefit or remedy of any
nature whatsoever under or by reason of this Agreement.
12. Force Majeure: Neither party shall be liable for any delays or non-performance resulting from
circumstances or causes beyond its reasonable control that could not have been avoided despite its use
of commercially reasonable efforts to prevent undue delay, including, without limitation, acts or omissions
or the failure to cooperate by the other party, acts or omissions or the failure to cooperate by any third
party, fire or other casualty, act of God, strike or labor dispute, war or other civil unrest, or any law, order
or requirement of any governmental agency or authority.
13. Entire Agreement, Amendment and Notices: This Agreement is the entire agreement between
CONTINUUM and DOT.COMM with respect to this engagement. It supersedes all other oral and written
representations, understandings or agreements relating to this engagement, and may not be amended
except by written agreement signed by the parties. In the event of any conflict between the Standard
Terms and Conditions and the Proposal, the Standard Terms and Conditions shall govern and control,
unless expressly and unambiguously agreed to by the parties in the Proposal, and only to the extent that
it specifically references the portion(s) of the Standard Terms and Conditions it means to supersede. All
notices hereunder shall be (a) in writing, (b) delivered to the representatives of the parties at the
addresses first set forth in the Agreement, unless changed by either party by notice to the other party,
and (c) effective upon receipt.
14. Governing Law and Severability: This Agreement shall be governed by the laws of the State of
Nebraska (without regard to conflict of law principles of that State or any other state). The parties agree
that any cause of action or litigation involving the alleged breach or enforcement of this Agreement or any
claim arising hereunder shall be filed exclusively in federal or state court in Douglas County, Nebraska,
and DOT.COMM hereby irrevocably consents to the jurisdiction of any federal or state court in Douglas
County, Nebraska. If any provision of this Agreement is found by a court of competent jurisdiction to be
unenforceable, such provision shall not affect the other provisions, but such unenforceable provision shall
be deemed modified to the extent necessary to render it enforceable, preserving to the fullest extent
permissible the intent of the parties set forth herein.
15. Trademarks, Trade Names, etc.: Neither party shall use or reproduce, by any means, any logo,
trademark, service mark, copyrighted material or name of the other party or its affiliates, in any
advertising, publicity releases, company lists or otherwise, without the prior written consent of such party.
16. Independent Contractor: Each of the parties hereto is an independent contractor and neither
party is, nor shall be considered to be, an agent, distributor, partner, fiduciary or representative of the
other. Neither party shall act or represent itself, directly or by implication, in any such capacity in respect
of the other or in any manner assume or create any obligation on behalf of, or in the name of, the other.
17. Insurance: CONTINUUM agrees to carry commercial general liability and property damage
insurance with combined bodily injury and property damage limits of at least $1,000,000 for each
occurrence and $2,000,000 aggregate. CONTINUUM also agrees, upon request, to forward a certificate
of insurance verifying said coverage within thirty (30) days of the execution of this Agreement.
18. Assignment: DOT.COMM shall not assign its rights under this Agreement to any third party
without the prior written consent of CONTINUUM. CONTINUUM may assign this Agreement or engage
third party independent contractors to assist in providing services hereunder without the consent of
DOT.COMM.
19. No-Hire: Neither party shall, without the prior written consent of the other party, hire as an
employee, sole proprietor or independent contractor, any employee of the other party who participated
directly in that party's performance under this Agreement, prior to the expiration of: (a) one (1) year from
the last date of employment by the other party, or (b) one (1) year from the completion of that employee's
performance under this Agreement, whichever occurs earlier. If the other party's permission is required
by this Section, then the hiring party must inform the other party at least seven (7) business days prior to
offering the position to the other party's employee of the hiring party's intention to make the offer.
Notwithstanding the foregoing, (a) the hiring party shall not be required to obtain the other party's
permission to hire any former employee who left the employ of the other party without personal
solicitation of the departing employee by the hiring party; and (b) DOT.COMM shall not be required to
obtain CONTINUUM's permission to contract with another consulting or contracting firm which intends to
place CONTINUUM's former employee on a DOT.COMM project.
20. Statute of Limitations: No action (including arbitration), regardless of form, arising out of
transactions under this Agreement, shall be brought by either party more than one (1) year after the
cause of action has accrued. This limitation shall not apply to any action brought by CONTINUUM for
collection of any amounts owed by DOT.COMM to CONTINUUM under this Agreement.
21. Changes: Any changes to this Agreement will be made in writing and subject to mutual
agreement as to content and equitable adjustment to contract price, if applicable.
22. Pricing Quotes: Quotes are valid for 15 days after date of issuance, unless otherwise noted.
2.5. If DOT.COMM issues a purchase order (hereinafter a "Non-Conforming Document") to
Continuum Security Solutions, the only terms and conditions of such Non-Conforming
Document that are valid are the names of products and/or services provided (i.e., unit,
quantity, unit price, extended price, order date, and delivery date). Notwithstanding the
foregoing, all other pre-printed or added terms and conditions of such Non-Conforming
Document or like forms used by DOT.COMM to implement this SOW, which are intended to
vary the terms of this SOW herein, are void with respect to the SOW, even if acknowledged in
writing by Continuum Security Solutions.
2.6. DOT.COMM to send all payments to the following billing and payment address:
Continuum Security Solutions
Attn: Accounts Receivable
3333 Farnam Street, Suite 1
Omaha, NE 68131
USA
3. Execution
In Witness Whereof, the parties have caused this SOW to be executed, and do each hereby warrant and
represent, that their respective signatory whose signature appears below, has been, and is, on the date of
this SOW, duly authorized by all necessary and appropriate corporate action, to execute this SOW. By
signing below, you authorize Continuum Security Solutions to proceed with the Services as outlined in
this SOW.
Proposed by: Agreed Upon and Accepted by:
Continuum Security Solutions DOT.COMM
Signature:
Printed Name:
Title:
Date:
NON-DISCLOSURE AGREEMENT
THIS NON-DISCLOSURE AGREEMENT (this "Agreement"), effective February 19th, 2013,
is entered into between Continuum Worldwide Corporation DBA Continuum
Security Solutions ("Continuum") located at 3333 Farnam St, Suite 1, Omaha, NE
68131 and DOT.COMM, located at 401 S. 18th St. Omaha NE, 68102
PRELIMINARY STATEMENT
Continuum and CORPORATION (the "Parties") may have discussions relating to potential
business opportunities between the Parties. Discussion of these potential business
opportunities will necessitate disclosure of certain financial and other confidential information by
the Parties. The Parties desire to restrict the use of the confidential information disclosed in the
Parties' discussions to use in evaluation of the business opportunities.
NOW THEREFORE, the Parties agree as follows.
Definition of Confidential Information. As used herein, "Confidential Information" will mean any
and all technical and non-technical information provided by a Party (the "Disclosing Party") to
the other Party (the "Recipient"), which may include without limitation information regarding:
(a) patent and patent applications, (b) trade secrets, and (c) proprietary and confidential
information, techniques, sketches, drawings, works of authorship, models, inventions, know-
how, processes, apparatuses, equipment, algorithms, software programs, software source
documents, and formulae related to the current, future, and proposed products and services of
the Disclosing Party, including without limitation the Disclosing Party's information concerning
research, experimental work, development, design details and specifications, engineering,
financial information, procurement requirements, purchasing, manufacturing, customer lists,
investors, employees, business and contractual relationships, business forecasts, sales and
merchandising, marketing plans and information the Disclosing Party provides regarding third
parties.
Disclosure/Use of Confidential Information. Subject to Section 3, the Recipient agrees that at all
times and notwithstanding any termination or expiration of this Agreement, it will hold in strict
confidence and not disclose to any third party any Confidential Information, except as approved
in writing by the Disclosing Party, and will use the Confidential Information for no purpose other
than as provided in this Agreement. The Recipient will limit access to the Confidential
Information to only those of its employees or authorized representatives having a need to know
and who have signed confidentiality agreements containing, or are otherwise bound by,
confidentiality obligations at least as restrictive as those contained herein. The Parties recognize
and agree that nothing contained in this Agreement will be construed as granting any property
rights, by license or otherwise, to any Confidential Information disclosed under this Agreement,
or to any invention or any patent, copyright, trademark, or other intellectual property right that
has issued or that may issue, based on such Confidential Information. The Parties will not
make, have made, use or sell for any purpose any product or other item using, incorporating or
derived from any Confidential Information.
Exceptions. The Recipient will have no obligations under this Agreement with respect to a
specific portion of the Confidential Information if the Recipient can demonstrate with competent
evidence that such Confidential Information:
Was in the public domain at the time it was disclosed to the Recipient or entered the
public domain subsequent to the time it was disclosed to the Recipient, through no fault of the
Recipient;
Was in the Recipient's possession free of any obligation of confidence at the time it was
disclosed to the Recipient;
Can be shown by the Recipient to have been independently developed by it or its
subsidiaries, affiliates or independent contractors without the use of Confidential Information; or
Was rightfully communicated to the Recipient free of any obligation of confidence
subsequent to the time it was disclosed to the Recipient.
Notwithstanding the above, the Recipient may disclose certain Confidential Information, without
violating the obligations of this Agreement, to the extent such disclosure is required by a valid
order of a court or other governmental body having jurisdiction, provided that the Recipient
provides the Disclosing Party with reasonable prior written notice of such disclosure and makes
a reasonable effort to obtain, or to assist the Disclosing Party in obtaining, a protective order
preventing or limiting the disclosure and/or requiring that the Confidential Information so
disclosed be used only for the purposes for which the law or regulation required, or for which the
order was issued.
Loss of Confidential Information. The Recipient will immediately notify the Disclosing Party in
the event of any loss or unauthorized disclosure of any Confidential Information.
Return of Confidential Information. Upon termination or expiration of this Agreement, or upon
written request of the Disclosing Party, the Recipient will promptly return to the Disclosing Party
all documents and other tangible materials representing any Confidential Information and all
copies thereof.
Further Restrictions. Confidential Information will not be reproduced in any form except as
required to accomplish the intent of this Agreement. Any reproduction of any Confidential
Information will remain the property of the Disclosing Party and will contain any and all
confidential or proprietary notices or legends that appear on the original, unless otherwise
authorized in writing by the Disclosing Party.
Termination. This Agreement will terminate two (2) years after the Effective Date. The Parties'
obligations under this Agreement will survive termination of this Agreement and will be binding
upon the Recipient's heirs, successors, and assigns.
Governing Law. This Agreement will be governed by and construed in accordance with the
laws of Nebraska, without giving effect to conflict of laws principles of that State or any other
state. Any disputes under this Agreement may be brought in the state courts and the Federal
courts located in Douglas County, Nebraska, and the parties hereby consent to the personal
jurisdiction and exclusive venue of these courts. This Agreement may not be amended except
by a writing signed by both parties.
Acknowledgment of Confidential Nature of Confidential Information. The Parties acknowledge
the Confidential Information is confidential and proprietary to the disclosing party and disclosure
of the Confidential Information could be seriously harmful to the business prospects of the
Disclosing Party. Both Parties acknowledge that the Disclosing Party may not have adequate
remedies at law for a breach by Recipient of its obligations under this Agreement and money
damages suffered by the Disclosing Party as a result of any such breach may be difficult or
impossible to determine. Accordingly, Recipient agrees that Disclosing Party, without the
requirement of posting any bond or other security, in addition to all other remedies available at
law, shall be entitled to seek and obtain equitable relief, including injunctive relief, in the event of
any such breach. The successful party in enforcing any obligations hereunder shall be
reimbursed by the unsuccessful party for all its costs and expenses, including reasonable
attorneys' fees related to such enforcement.
Indemnification. The Recipient shall defend, hold harmless and indemnify the Disclosing Party
from any claims, damages, liabilities, losses and expenses, including costs of investigation,
court costs and attorneys' fees, arising out of allegations of a third party (including, but not
limited to, allegations by a governmental agency) that the Disclosing Party breached a duty of
confidentiality owed to that third party, if such breach of confidentiality was caused by the
actions of the Recipient or its employees, agents or contractors.
Approval to Export. The Parties will not export, directly or indirectly, any technical data
acquired under this Agreement or any product utilizing any such data to any country for which
the U.S. Government or an agency thereof at the time of export requires an export license or
other governmental approval, without first obtaining such license or approval.
Severability. If any provision of this Agreement shall be held invalid or unenforceable by any
court of competent jurisdiction, such holding shall not invalidate or render unenforceable any
other provision hereof and this Agreement shall be construed as restricting, limiting or
eliminating the particular provision held to be invalid or unenforceable so as to render the entire
Agreement valid and enforceable to the fullest extent possible.
Notices. All notices or reports permitted or required under this Agreement will be in writing and
will be delivered by personal delivery, electronic mail, facsimile transmission or by overnight,
certified or registered mail, return receipt requested, and will be deemed given upon personal
delivery, five (5) days after deposit in the mail, or upon acknowledgment of receipt of electronic
transmission. Notices will be sent to the addresses set forth at the end of this Agreement or
such other address as either party may specify in writing.
IN WITNESS WHEREOF, the Parties hereto or their duly authorized representatives have executed
this Agreement.
Continuum Worldwide Corporation DOT.COMM
DBA Continuum Security Solutions
By: Bret Brasfield By:
Title: Business Developer Title:
Date: 3/05/13 Date:
JUSTIFICATION FOR NON-COMPETITIVE PROCUREMENT
(SOLE SOURCE JUSTIFICATION)
PARAGRAPH 1: A brief description of the program and what is being contracted.
We are working on a program to increase cyber security education for Sarpy and Douglas
County as part of the 2010 UASI Cyber Security Grant. We looked for one of our trusted
vendors who could review our existing cyber security policy and create user education training
videos custom made for Douglas County and Sarpy County, Nebraska. This custom training is to
address the cyber security needs of local government and model them after our policies
specifically.
PARAGRAPH 2: Explanation of why a non-competitive contract is necessary, to
include the following:
• Expertise of the contractor.
• Management.
• Responsiveness.
• Knowledge of the program.
• Experience of personnel.
Continuum, the vendor that was selected, was familiar with the environment at both Sarpy and
Douglas counties. They are trusted and we knew they could get the work done in a timely
fashion. They are very flexible and offered both the policy review and custom video work.
Continuum, which is a Mutual of Omaha company, is a proven provider of custom IT security
services including: training, vulnerability scanning, incident response, and other security tasks.
Their staff is very intelligent and has provided excellent insight on previous engagements, so we
knew they would provide a solid service.
PARAGRAPH 3: Time Contracts
• When contractual coverage is required and why.
• Impact on program if dates are not met.
• How long would it take another contractor to reach the same
level of competence? (Equate to dollars if desired)
PARAGRAPH 4: Uniqueness
Other quality and trusted vendors we looked at, FishNet, Forsythe, and SANS, had on-line cyber
security training modules, but they were very canned. Some could do the modifications to the
curriculum, but it was not an easy or cheap task to perform.
Continuum has done the custom training modules for other companies and even started the
conversation of how a custom module for our environment would be the best. They stated that
they would even have custom video (vignettes) created to better train the visual learners.
As the only vendor we talked to out of the group that had this custom approach, they were indeed
unique.
PARAGRAPH 5: Other points that should be covered to make a convincing case.
PARAGRAPH 6: A declaration that this action is in the best interest of the agency.
By going with Continuum, we are selecting a trusted and secure vendor who is responsive,
creative, and accurate. This vendor is the best choice for the task at hand for both Sarpy County
and Douglas County.
Reference:
U.S. Department of Justice
Office of Justice Programs
Financial Guide 2005
http://www.ojp.usdoj.gov/FinGuide/
Chapter 10 — Procurement Under Awards of Federal Assistance, #3
C-25A CITY OF OMAHA
LEGISLATIVE CHAMBER
Omaha,Nebraska
RESOLVED BY THE CITY COUNCIL OF THE CITY OF OMAHA:
WHEREAS, Continuum Security Solutions submitted a proposal in the amount of thirty
five thousand two hundred dollars ($35,200.00) for professional services required for the
establishment of the Douglas-Omaha Technology Commission (DotComm) Cyber Security End
User Awareness Training Program which will be administered and overseen by DotComm;
and,
WHEREAS, Continuum Security Solutions is the sole source vendor for this product as
provided in Chapter 5.16 of the Home Rule Charter; and,
WHEREAS, the Cyber Security End User Awareness Program training will be an
important step toward a more secure City/County information network; and,
WHEREAS, $35,200.00 of the purchase is budgeted from and will be funded by the
Nebraska Emergency Management Agency (NEMA) FY 2010 Urban Area Security Initiative,
Award #2010-SS-T8-0013, Fund 12151, Organization 130762; and,
WHEREAS, the Mayor recommends your favorable consideration of this Resolution.
NOW THEREFORE, BE IT RESOLVED BY THE CITY COUNCIL OF THE CITY OF
OMAHA:
THAT, as recommended by the Mayor, the purchase from Continuum Security Solutions,
a sole source vendor provided in Chapter 5.16 of the Home Rule Charter in the amount of thirty
five thousand two hundred dollars ($35,200.00) for the DotComm Cyber Security End User
Awareness Training Program that will be an important step toward a more secure City/County
information network, is hereby approved.
FURTHER THAT, the Finance Department of the City of Omaha is authorized to pay
Continuum Security Solutions in the amount of $35,200.00 for the procurement of professional
services related to the DotComm Cyber Security End User Awareness Training Program,
budgeted from and funded by the Nebraska Emergency Management Agency (NEMA) FY 2010
Urban Area Security Initiative, Award #2010-SS-T8-0013, Fund 12151, Organization 130762.
APPROVED AS TO FORM:
By
Councilmember    Assistant City Attorney    Date
Adopted AUG 13 2013
P:\MYR\0060PR
City Clerk
Approved
Mayor
NO.
Resolution by
Res. that, as recommended by the Mayor, the purchase from
Continuum Security Solutions, a sole source vendor
provided in Chapter 5.16 of the Home Rule Charter in the
amount of thirty five thousand two hundred dollars
($35,200.00) for the DotComm Cyber Security End User
Awareness Training Program that will be an important step
toward a more secure City/County information network, is
hereby approved.
Further that, the Finance Department of the City of Omaha is
authorized to pay Continuum Security Solutions in the
amount of $35,200.00 for the procurement of professional
services related to the DotComm Cyber Security End User
Awareness Training Program, budgeted from and funded by
the Nebraska Emergency Management Agency (NEMA) FY
2010 Urban Area Security Initiative, Award #2010-SS-T8-0013,
Fund 12151, Organization 130762.
P:\MYR\0060PR
Presented to City Council
AUG 13 2013
Adopted
City Clerk